Rule Definition
Servlets must be programmed in a thread-safe manner, because the controller will share the same instance for multiple simultaneous requests. In addition to the servlet's threading model, if your intention is to store request-specific state and if your container provides clustering facilities, there's no guarantee that the same servlet instance will receive all the requests (from one user or all users) in a Web application. The use of non static final fields within a Servlet creates a security breach as this object is shared among multiple sessions and thus can lead to confidential data leaks.

Remediation
Review the Class design. Store global information in HttpSession, or use stateful session beans that are specifically targeted for this purpose. For temporary storage in a Servlet use local variables that are scoped within the doGet or doPost methods (or the service method).

Violation Code Sample

public class SampleServlet extends HttpServlet {     private String lastAddr = "nobody@nowhere.com"; // Violation      public void doGet(HttpServletRequest request, HttpServletResponse response)     throws IOException, ServletException {     response.setContentType("text/html");     PrintWriter out = response.getWriter();     out.println("<html>");

Fixed Code Sample

public class SampleServlet extends HttpServlet {      private static final String lastAddr = "nobody@nowhere.com"; // Fixed       public void doGet(HttpServletRequest request, HttpServletResponse response)     throws IOException, ServletException {     response.setContentType("text/html");     PrintWriter out = response.getWriter();     out.println("<html>");

Sun Best Practices